The IO half of the machine-wide token roll-up (B2a shipped the pure data model).
New campaign-write-cli subcommand 'refresh-tokens': for every tracked repo it runs
readActiveConfig → buildManifest → splitManifestByOwnership, stores each repo's
per-repo delta via setRepoTokens, and captures the HOME-derived shared global layer
ONCE (from the first repo that reads cleanly) via setSharedGlobal.
Capturing shared once is the structural counted-once guard: a repo that fails to
read is recorded in 'skipped' and its delta omitted, never aborting the sweep.
Idempotent — a re-sweep replaces (setters overwrite), never accumulates. Determinism
unchanged: the clock is still read only via --reference-date.
TDD: 3 integration tests first (RED → GREEN) against a fixture with a dominant global
CLAUDE.md + two repos. Counted-once guard asserts each stored delta stays a small
fraction of the shared layer (a double-fold would make each delta EXCEED shared).
Caught a per-repo-MCP misclassification (fixed in 82f881a) + a test-side shape slip
(rollUp flattens its token buckets to numbers; stored summaries keep {tokens,count}).
Suite 1198 green (1195 + 3). Manifest + all frozen snapshots untouched.
[skip-docs]: internal sweep CLI (campaign plumbing), no user-facing surface yet. The
rendered token-bill in commands/campaign.md + CLAUDE.md rows land in B2b-3.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
252 lines
9.9 KiB
JavaScript
252 lines
9.9 KiB
JavaScript
#!/usr/bin/env node
|
|
|
|
/**
|
|
* campaign-write-cli — the human-approved WRITE half of the durable campaign ledger
|
|
* (v5.7 Fase 2, Block 3c).
|
|
*
|
|
* Sibling of the read-only `campaign-cli`: where that one only reports, this one mutates.
|
|
* Every mutation is routed through the pure, invariant-enforcing lib transforms
|
|
* (`createLedger`/`addRepo`/`setRepoStatus`) + `saveLedger` — so path normalization/dedup,
|
|
* idempotent add, the status-lifecycle guard, and the `updatedDate` bump are never
|
|
* re-implemented by hand. The `/config-audit campaign` command is a thin opus orchestrator:
|
|
* it reports (via campaign-cli), proposes a change, and only on explicit human approval
|
|
* invokes a single subcommand here (Verifiseringsplikt). It NEVER auto-writes.
|
|
*
|
|
* Determinism mirrors the lib + the knowledge-refresh CLI: `--reference-date` is the only
|
|
* place the clock is read (defaulting to today), and it is passed to the transforms as the
|
|
* injected `now`, so the persisted stamps are fully testable.
|
|
*
|
|
* Naming: `-cli` suffix → NOT an orchestrated scanner (the scan-orchestrator only loads
|
|
* scanner modules), so the scanner count is unchanged and the snapshot suite stays
|
|
* byte-stable.
|
|
*
|
|
* Usage:
|
|
* node campaign-write-cli.mjs init [--ledger-file <p>] [--reference-date <YYYY-MM-DD>]
|
|
* node campaign-write-cli.mjs add <path>... [--name <n>] [--ledger-file <p>] [--reference-date <d>]
|
|
* node campaign-write-cli.mjs set-status <path> <status>
|
|
* [--findings '<json>'] [--session <id>]
|
|
* [--ledger-file <p>] [--reference-date <d>]
|
|
* node campaign-write-cli.mjs refresh-tokens [--ledger-file <p>] [--reference-date <d>]
|
|
* (all accept [--output-file <p>] to write the result payload to a file instead of stdout)
|
|
*
|
|
* `refresh-tokens` is the live cross-repo token sweep (v5.9 B2b): for every tracked
|
|
* repo it runs the manifest's always-loaded accounting (readActiveConfig → buildManifest)
|
|
* and splits each source into the shared global layer vs the repo's per-repo delta
|
|
* (splitManifestByOwnership). The shared layer is HOME-derived and identical across
|
|
* repos, so it is captured ONCE (from the first successful read) and stored at the
|
|
* ledger root; each repo gets only its delta. This is the IO half of the machine-wide
|
|
* token roll-up whose pure data model shipped in B2a.
|
|
*
|
|
* Exit codes: 0 = write performed (or no repos to sweep, a benign no-op), 1 = advisory
|
|
* no-op (init when already initialized), 3 = error (unknown subcommand, bad args,
|
|
* invalid status, untracked repo, no/corrupt ledger).
|
|
*/
|
|
|
|
import { resolve } from 'node:path';
|
|
import { writeFile } from 'node:fs/promises';
|
|
import {
|
|
createLedger,
|
|
addRepo,
|
|
setRepoStatus,
|
|
setSharedGlobal,
|
|
setRepoTokens,
|
|
rollUp,
|
|
loadLedger,
|
|
saveLedger,
|
|
defaultLedgerPath,
|
|
} from './lib/campaign-ledger.mjs';
|
|
import { readActiveConfig } from './lib/active-config-reader.mjs';
|
|
import { buildManifest, splitManifestByOwnership } from './manifest.mjs';
|
|
|
|
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
|
|
|
|
function fail(message) {
|
|
process.stderr.write(`Error: ${message}\n`);
|
|
process.exit(3);
|
|
}
|
|
|
|
/** Parse argv into a subcommand, positional args, and the flag map. */
|
|
function parseArgs(argv) {
|
|
const positionals = [];
|
|
const flags = { ledgerFile: null, referenceDate: null, outputFile: null, name: null, findings: null, session: null };
|
|
for (let i = 0; i < argv.length; i++) {
|
|
const a = argv[i];
|
|
if (a === '--ledger-file' && argv[i + 1] !== undefined) flags.ledgerFile = argv[++i];
|
|
else if (a === '--reference-date' && argv[i + 1] !== undefined) flags.referenceDate = argv[++i];
|
|
else if (a === '--output-file' && argv[i + 1] !== undefined) flags.outputFile = argv[++i];
|
|
else if (a === '--name' && argv[i + 1] !== undefined) flags.name = argv[++i];
|
|
else if (a === '--findings' && argv[i + 1] !== undefined) flags.findings = argv[++i];
|
|
else if (a === '--session' && argv[i + 1] !== undefined) flags.session = argv[++i];
|
|
else if (a.startsWith('--')) fail(`unknown flag "${a}"`);
|
|
else positionals.push(a);
|
|
}
|
|
return { subcommand: positionals[0], rest: positionals.slice(1), flags };
|
|
}
|
|
|
|
/** Load an existing ledger, treating a parse error as a hard failure (never clobber corrupt data). */
|
|
async function loadOrFail(path) {
|
|
try {
|
|
return await loadLedger(path); // null on ENOENT (no ledger yet)
|
|
} catch (err) {
|
|
fail(`could not read ledger at ${path}: ${err.message}`);
|
|
}
|
|
}
|
|
|
|
async function emit(payload, outputFile, exitCode) {
|
|
const json = JSON.stringify(payload, null, 2);
|
|
if (outputFile) await writeFile(outputFile, json, 'utf-8');
|
|
else process.stdout.write(json + '\n');
|
|
process.exit(exitCode);
|
|
}
|
|
|
|
async function main() {
|
|
const { subcommand, rest, flags } = parseArgs(process.argv.slice(2));
|
|
|
|
if (!subcommand) fail('a subcommand is required: init | add | set-status | refresh-tokens');
|
|
|
|
const ledgerPath = resolve(flags.ledgerFile || defaultLedgerPath());
|
|
if (flags.referenceDate && !DATE_RE.test(flags.referenceDate)) fail('--reference-date must be YYYY-MM-DD');
|
|
// The clock is read here ONLY — the transforms take this injected `now` and stay pure.
|
|
const now = flags.referenceDate || new Date().toISOString().slice(0, 10);
|
|
|
|
if (subcommand === 'init') {
|
|
const existing = await loadOrFail(ledgerPath);
|
|
if (existing !== null) {
|
|
// Advisory no-op: never wipe an existing campaign.
|
|
return emit(
|
|
{ status: 'ok', action: 'init', written: false, alreadyInitialized: true, ledgerPath },
|
|
flags.outputFile,
|
|
1,
|
|
);
|
|
}
|
|
const ledger = createLedger({ now });
|
|
await saveLedger(ledgerPath, ledger);
|
|
return emit(
|
|
{
|
|
status: 'ok', action: 'init', written: true, alreadyInitialized: false, ledgerPath,
|
|
schemaVersion: ledger.schemaVersion, createdDate: ledger.createdDate, updatedDate: ledger.updatedDate,
|
|
repos: ledger.repos, rollUp: rollUp(ledger),
|
|
},
|
|
flags.outputFile,
|
|
0,
|
|
);
|
|
}
|
|
|
|
if (subcommand === 'add') {
|
|
const paths = rest;
|
|
if (paths.length === 0) fail('add requires at least one repo path');
|
|
const loaded = await loadOrFail(ledgerPath);
|
|
const autoInitialized = loaded === null;
|
|
let ledger = loaded === null ? createLedger({ now }) : loaded;
|
|
|
|
const added = [];
|
|
const skipped = [];
|
|
for (const p of paths) {
|
|
const resolved = resolve(p);
|
|
const present = ledger.repos.some((r) => r.path === resolved);
|
|
// --name applies only to a lone path; multi-add lets the lib derive each basename.
|
|
const name = paths.length === 1 ? flags.name || undefined : undefined;
|
|
ledger = addRepo(ledger, { path: p, name }, { now });
|
|
(present ? skipped : added).push(resolved);
|
|
}
|
|
await saveLedger(ledgerPath, ledger);
|
|
return emit(
|
|
{
|
|
status: 'ok', action: 'add', written: true, autoInitialized, ledgerPath,
|
|
added, skipped, repos: ledger.repos, rollUp: rollUp(ledger),
|
|
},
|
|
flags.outputFile,
|
|
0,
|
|
);
|
|
}
|
|
|
|
if (subcommand === 'set-status') {
|
|
const [path, status] = rest;
|
|
if (!path || !status) fail('set-status requires <path> <status>');
|
|
const ledger = await loadOrFail(ledgerPath);
|
|
if (ledger === null) fail(`no ledger at ${ledgerPath} — run "init" or "add" first`);
|
|
|
|
let findingsBySeverity;
|
|
if (flags.findings !== null) {
|
|
try {
|
|
findingsBySeverity = JSON.parse(flags.findings);
|
|
} catch (err) {
|
|
fail(`--findings must be valid JSON: ${err.message}`);
|
|
}
|
|
}
|
|
const opts = { now };
|
|
if (findingsBySeverity !== undefined) opts.findingsBySeverity = findingsBySeverity;
|
|
if (flags.session !== null) opts.sessionId = flags.session;
|
|
|
|
let next;
|
|
try {
|
|
next = setRepoStatus(ledger, path, status, opts);
|
|
} catch (err) {
|
|
// RangeError (bad status) or Error (untracked repo) → caller error.
|
|
fail(err.message);
|
|
}
|
|
await saveLedger(ledgerPath, next);
|
|
const resolved = resolve(path);
|
|
return emit(
|
|
{
|
|
status: 'ok', action: 'set-status', written: true, ledgerPath,
|
|
repo: next.repos.find((r) => r.path === resolved), repos: next.repos, rollUp: rollUp(next),
|
|
},
|
|
flags.outputFile,
|
|
0,
|
|
);
|
|
}
|
|
|
|
if (subcommand === 'refresh-tokens') {
|
|
const ledger0 = await loadOrFail(ledgerPath);
|
|
if (ledger0 === null) fail(`no ledger at ${ledgerPath} — run "init" or "add" first`);
|
|
|
|
let ledger = ledger0;
|
|
const swept = [];
|
|
const skipped = [];
|
|
// The shared global layer is HOME-derived and identical across every repo, so it
|
|
// is captured ONCE (from the first repo that reads cleanly) and stored at the
|
|
// ledger root — the structural guard against the historic shared-layer double-count.
|
|
let sharedSummary = null;
|
|
|
|
for (const repo of ledger0.repos) {
|
|
let split;
|
|
try {
|
|
const activeConfig = await readActiveConfig(repo.path, { verbose: false });
|
|
const { sources } = buildManifest(activeConfig);
|
|
split = splitManifestByOwnership(sources);
|
|
} catch (err) {
|
|
skipped.push({ path: repo.path, reason: err.message });
|
|
continue;
|
|
}
|
|
if (sharedSummary === null) sharedSummary = split.shared;
|
|
ledger = setRepoTokens(ledger, repo.path, split.delta, { now });
|
|
swept.push(repo.path);
|
|
}
|
|
|
|
if (sharedSummary !== null) ledger = setSharedGlobal(ledger, sharedSummary, { now });
|
|
|
|
const written = swept.length > 0;
|
|
if (written) await saveLedger(ledgerPath, ledger);
|
|
|
|
return emit(
|
|
{
|
|
status: 'ok', action: 'refresh-tokens', written, ledgerPath,
|
|
swept, skipped, sharedGlobal: ledger.sharedGlobal ?? null, rollUp: rollUp(ledger),
|
|
},
|
|
flags.outputFile,
|
|
0,
|
|
);
|
|
}
|
|
|
|
fail(`unknown subcommand "${subcommand}" — expected init | add | set-status | refresh-tokens`);
|
|
}
|
|
|
|
const isDirectRun =
|
|
process.argv[1] && resolve(process.argv[1]) === resolve(new URL(import.meta.url).pathname);
|
|
if (isDirectRun) {
|
|
main().catch((err) => {
|
|
process.stderr.write(`Fatal: ${err.message}\n`);
|
|
process.exit(3);
|
|
});
|
|
}
|